Data techniques

US10521230B2 · US · B2

Patent metadata

Publication number: US-10521230-B2
Application number: US-201816002987-A
Country: US
Kind code: B2
Filing date: Jun 7, 2018
Priority date: Dec 17, 2015
Publication date: Dec 31, 2019
Grant date: Dec 31, 2019

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A method of and system for performing metadata tag compression in a security policy enforcement system may comprise conveying a set of data elements, each with an associated metadata tag, from a first processor subsystem to a second processor subsystem. The first processor subsystem may be configured to process conventional tasks, and the second processor subsystem may be configured to apply one or more policy decisions to the data elements. The conveying may further comprise sending the set of data elements along with an index element that identifies one or more metadata tags, and sending one or more of the metadata tags identified by the index element.

First claim

Opening claim text (preview).

What is claimed is:

1. A method of performing metadata tag processing in a security policy enforcement system, comprising: at an input/output (IO) metadata processor having a cache configured to store one or more rules of a direct memory access (DMA) policy, receiving, from a first untrusted fabric, a direct memory access (DMA) request directed to an address of a trusted second fabric; generating an unvalidated request based on the DMA request and at least one of the one or more rules; obtaining DMA data requested by the unvalidated request at the address of the trusted fabric and obtaining metadata tags corresponding to the DMA data, wherein the DMA data comprises one or more metadata tags indicating a state of the untrusted fabric; querying the cache to identify at least one rule indicating that a device from which the DMA request is received from the untrusted fabric is allowed to access one or more memory ranges, including the address of the trusted fabric, based on the metadata tags obtained; wherein when no rules from the cache are identified as matching obtained metadata tags, executing rule miss handling by performing at least one of the following: (i) rejecting the DMA request and (ii) redirecting the DMA request to an address separate from the trusted fabric; and when the at least one rule is found in the cache matching the obtained metadata tags, allowing the DMA request.

2. A system for performing metadata tag processing in a security policy enforcement system, comprising: an input/output (IO) cache; and an input/output (IO) metadata processor having a cache configured to store one or more rules of a direct memory access (DMA) policy, the IO metadata processor configured to: receive, from a first untrusted fabric, a direct memory access (DMA) request directed to an address of a trusted second fabric; generate an unvalidated request based on the DMA request and at least one of the one or more rules; obtain DMA data requested by the unvalidated request at the address of the trusted fabric and obtain metadata tags corresponding to the DMA data, wherein the DMA data comprises one or more metadata tags indicating a state of the untrusted fabric; querying the cache of the metadata processor to identify at least one rule indicating that a device from which the DMA request is received from the untrusted fabric is allowed to access one or more memory ranges, including the address of the trusted fabric, based on the metadata tags obtained; wherein when no rules from the cache are identified as matching obtained metadata tags, executing rule miss handling by performing at least one of the following: (i) rejecting the DMA request and (ii) redirecting the DMA request to an address separate from the trusted fabric; and when the at least one rule is found in the cache of the metadata processor matching the obtained metadata tags, allowing the DMA request.

3. The method of claim 1, further comprising: when the DMA request is allowed, allowing reading of the address of the trusted fabric; and when the DMA request is allowed and the DMA request is a write request, allowing write back to the address of the trusted fabric.

4. The method of claim 3, wherein allowing reading of the address and allowing write back is performed over an output channel between the IO metadata processor and the untrusted fabric.

5. The method of claim 1, wherein the at least one rule based on the metadata tags indicates a set of addresses.

6. The method of claim 1, further comprising storing device state information in an untrusted fabric device register file.

7. The method of claim 1, wherein obtaining the DMA data is over an initial channel from the trusted fabric to the IO metadata processor, the channel being private with respect to the untrusted fabric.

8. The method of claim 1, wherein the untrusted fabric is at least one of a network device, Ethernet DMA device, universal asynchronous receiver/transmitter (UART), and serial communication device.

9. The method of claim 1, wherein executing rule cache miss handling further includes sending, from the IO metadata processor, an interrupt to a processor connected with the IO metadata processor.

10. The system of claim 2, wherein the IO metadata processor is further configured to: when the DMA request is allowed, allow reading of the address of the trusted fabric; and when the DMA request is allowed and the DMA request is a write request, allow write back to the address of the trusted fabric.

11. The system of claim 10, wherein allowing reading of the address and allowing write back is performed over an output channel between the IO metadata processor and the untrusted fabric.

12. The system of claim 2, wherein the at least one rule based on the metadata tags indicates a set of addresses.

13. The system of claim 2, wherein the IO metadata processor is further configured to store device state information in an untrusted fabric device register file.

14. The system of claim 2, wherein the IO metadata processor is configured to obtain the DMA data over an initial channel from the trusted fabric to the IO metadata processor, the channel being private with respect to the untrusted fabric.

15. The system of claim 2, wherein the untrusted fabric is at least one of a network device, Ethernet DMA device, universal asynchronous receiver/transmitter (UART), and serial communication device.

16. The system of claim 2, wherein execution of rule cache miss handling further includes conveyance, from the IO metadata processor, of an interrupt to a processor connected with the IO metadata processor.

17. A method comprising acts of: receiving, from a device connected to an untrusted fabric of an untrusted domain, a direct memory access (DMA) request to access data at a memory address of a memory connected to a trusted fabric of a trusted domain, wherein the memory address has a corresponding metadata tag; obtaining one or more metadata tags associated with the DMA request, the one or more metadata tags comprising the metadata tag corresponding to the memory address and a metadata tag indicating a state of the device from which the DMA request is received; using the one or more metadata tags associated with the DMA request to query a rule cache storing one or more rules of a DMA policy for a rule indicating that the device connected to the untrusted fabric is allowed to access one or more memory ranges including the memory address of the memory connected to the trusted fabric; wherein when the one or more metadata tags do not match any rule in the rule cache, triggering an interrupt to be serviced by a processor; and when the rule is found in the rule cache matching the one or more metadata tags associated with the DMA request, allowing the DMA request granting the device connected to the untrusted fabric access to the memory address.

18. The method of claim 17, further comprising an act of: in response to allowing the DMA request, inserting a rule into the rule cache, based at least in part on the one or more metadata tags associated with the DMA request.

19. The method of claim 18, wherein: the one or more metadata tags associated with the DMA request comprise one or more input metadata tags; the processor returns one or more output metadata tags; and the rule inserted into the rule cache is further based on the one or more output metadata tags.

20. The method of claim 17, wherein: the one or more metadata tags associated with the DMA request comprise one or more inpu
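The claims above describe a fast-path/slow-path structure: an IO metadata processor keys a rule cache on the tag of the target address plus the tag describing the requesting device's state (claims 1 and 17), a miss raises an interrupt to a processor (claims 9 and 17) and otherwise ends in rejection or redirection (claim 1), and an allowed request causes a rule built from the input tags and the processor's output tags to be inserted into the cache (claims 18 and 19). The Python model below is an added illustration written for this page; it is not code from the patent or from the assignee. The tag names, page-granular tag map, device names, the policy function and the redirect sink address are all constructed assumptions, and reading the miss path as "interrupt, let the processor evaluate the full policy, then reject or redirect only if the policy refuses" is this example's interpretation of how claims 1 and 18 fit together.

```python
"""Illustrative model of the claimed DMA tag check (added example, not the
patent's implementation): an IO metadata processor with a rule cache sits
between an untrusted fabric and memory on a trusted fabric."""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"        # rule hit, or processor approved on a miss
    REJECT = "reject"      # rule miss handling, option (i) in claim 1
    REDIRECT = "redirect"  # rule miss handling, option (ii) in claim 1


@dataclass(frozen=True)
class DmaRequest:
    device: str       # device on the untrusted fabric issuing the request
    address: int      # target address on the trusted fabric
    is_write: bool    # write requests need write-back permission (claim 3)


@dataclass(frozen=True)
class RuleKey:
    """Input metadata tags that index the rule cache (claim 17)."""
    device_tag: str   # tag describing the state of the requesting device
    memory_tag: str   # tag attached to the target address
    is_write: bool


# Constructed sample metadata (hypothetical values, not from the patent):
# one tag per 4 KiB page of trusted memory, keyed by page number.
MEMORY_TAGS = {
    0x1000 >> 12: "NET_RX_BUF",
    0x2000 >> 12: "NET_TX_BUF",
    0x3000 >> 12: "KERNEL_TEXT",
}
# Tag describing the current state of each untrusted-fabric device
# (the "untrusted fabric device register file" of claim 6, simplified).
DEVICE_TAGS = {"eth0": "ETH_DMA_ACTIVE", "uart0": "UART_ACTIVE"}

# Hypothetical sink address outside the trusted fabric for redirected requests.
REDIRECT_ADDRESS = 0xDEAD0000


def memory_tag_for(address: int) -> str:
    return MEMORY_TAGS.get(address >> 12, "UNTAGGED")


def policy_decision(key: RuleKey):
    """Slow path run by the interrupted processor on a rule-cache miss.
    Returns (allowed, output_tag); the output tag is folded into the rule
    that gets inserted into the cache (claim 19). Constructed policy:
    the Ethernet DMA engine may read and write its RX buffer and read its
    TX buffer; nothing else on the untrusted fabric touches trusted memory."""
    if key.device_tag == "ETH_DMA_ACTIVE" and key.memory_tag == "NET_RX_BUF":
        return True, "NET_RX_BUF_DIRTY" if key.is_write else "NET_RX_BUF"
    if (key.device_tag == "ETH_DMA_ACTIVE" and key.memory_tag == "NET_TX_BUF"
            and not key.is_write):
        return True, "NET_TX_BUF"
    return False, None


class IOMetadataProcessor:
    def __init__(self, miss_verdict: Verdict = Verdict.REJECT):
        self.rule_cache = {}          # RuleKey -> output metadata tag
        self.interrupts = 0           # rule-miss interrupts raised (claim 9)
        self.miss_verdict = miss_verdict

    def handle(self, request: DmaRequest):
        """Returns (verdict, address the request is actually serviced at)."""
        key = RuleKey(
            DEVICE_TAGS.get(request.device, "UNKNOWN_DEVICE"),
            memory_tag_for(request.address),
            request.is_write,
        )
        if key in self.rule_cache:
            # Fast path: a cached rule says this device may access this range.
            return Verdict.ALLOW, request.address
        # Miss: interrupt the processor and let it evaluate the full policy.
        self.interrupts += 1
        allowed, output_tag = policy_decision(key)
        if allowed:
            # Claim 18/19: insert a rule from input tags plus output tag.
            self.rule_cache[key] = output_tag
            return Verdict.ALLOW, request.address
        if self.miss_verdict is Verdict.REDIRECT:
            return Verdict.REDIRECT, REDIRECT_ADDRESS
        return Verdict.REJECT, None


def run_demo():
    """Constructed sequence: two RX-buffer reads (miss then hit), a write
    into kernel text, and a UART DMA into the network buffer."""
    iomp = IOMetadataProcessor()
    requests = [
        DmaRequest("eth0", 0x1000, False),   # miss, policy allows, rule cached
        DmaRequest("eth0", 0x1080, False),   # same page and tags: cache hit
        DmaRequest("eth0", 0x3000, True),    # write to KERNEL_TEXT: rejected
        DmaRequest("uart0", 0x1000, False),  # wrong device state tag: rejected
    ]
    verdicts = [iomp.handle(r)[0] for r in requests]
    return verdicts, iomp.interrupts, len(iomp.rule_cache)


if __name__ == "__main__":
    print(run_demo())
```

The point the model makes visible is that the cache only ever holds rules the policy has approved, so the second request to the same page and tags never reaches the processor, while a change in either tag (a different page class, or a device whose state tag is not the one the rule was built for) misses and falls back to the slow path rather than silently reusing the cached decision.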

Assignees

Charles Stark Draper Laboratory Inc

Inventors

Classifications

  • G06F21/52 · Primary

    during program execution, e.g. stack integrity {; Preventing unwanted data erasure; Buffer overflow} · CPC title

  • comprising a single central processing unit · CPC title

  • Instruction code · CPC title

  • to a system of files or objects, e.g. local or distributed file system or database · CPC title

  • Register arrangements · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10521230B2 cover?
A method of and system for performing metadata tag compression in a security policy enforcement system may comprise conveying a set of data elements, each with an associated metadata tag, from a first processor subsystem to a second processor subsystem. The first processor subsystem may be configured to process conventional tasks, and the second processor subsystem may be configured to apply one or more policy decisi…
Who is the assignee on this patent?
Charles Stark Draper Laboratory Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/52. Mapped technology areas include Physics.
When was this patent published?
Publication date Dec 31, 2019 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).